PUMA creeps through Linux with a stealthy rootkit attack

The dropper creates two in-memory executables: /memfd:tgt, a harmless cron binary, and /memfd:wpn, a rootkit loader. The loader evaluates the environment, executes additional payloads, and prepares the system for rootkit deployment.
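As an added detection example (not code from the original report), the following Python check flags processes whose /proc/<pid>/exe symlink resolves to a memfd object, which is how in-memory executables such as the dropper's /memfd:tgt and /memfd:wpn show up on a live host. The process table used for the demonstration is constructed, and the PUMA name list is only a hint, since such names are trivial to change.

```python
import os
import re
from typing import Dict, List, Optional

# memfd_create() objects appear as "/memfd:<name> (deleted)" in /proc/<pid>/exe.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>\S*)(?: \(deleted\))?$")
# memfd names attributed to the PUMA dropper in the article; any other
# memfd-backed executable is still flagged, just without this marker.
PUMA_MEMFD_NAMES = {"tgt", "wpn"}

def classify_exe(exe_target: str) -> Optional[dict]:
    """Return details if an exe symlink target points into a memfd object."""
    m = MEMFD_RE.match(exe_target)
    if not m:
        return None
    name = m.group("name")
    return {"memfd_name": name, "puma_naming": name in PUMA_MEMFD_NAMES}

def scan_exe_map(exe_by_pid: Dict[int, str]) -> List[dict]:
    """Flag every pid whose /proc/<pid>/exe target lives in a memfd."""
    findings = []
    for pid, target in sorted(exe_by_pid.items()):
        info = classify_exe(target)
        if info:
            findings.append({"pid": pid, "exe": target, **info})
    return findings

def read_proc_exe_links() -> Dict[int, str]:
    """Collect /proc/<pid>/exe targets on a live host (root sees all pids)."""
    links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                pass  # kernel thread, exited process, or no permission
    return links

# Constructed sample: one normal daemon, the two memfd names from the report,
# and an unrelated memfd executable that should still be surfaced.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:tgt (deleted)",
    4243: "/memfd:wpn (deleted)",
    4300: "/memfd:runc_cloned (deleted)",
}

if __name__ == "__main__":
    for finding in scan_exe_map(read_proc_exe_links()):
        print(finding)
```

Run it as root to cover every pid; legitimate memfd users (container runtimes, some JITs) will also appear, so treat a hit as a lead to inspect, not a verdict.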

A temporary script, script.sh, is executed from /tmp to finalize the deployment of the PUMA kernel rootkit module. The rootkit embeds Kitsune SO to facilitate userland interactions, ensuring a seamless and stealthy infection process.

The kernel module’s main features include elevating privileges, hiding files and directories, evading detection by system tools, implementing anti-debugging techniques, and enabling communication with command-and-control (C2) servers, the researchers added.
